LinuxQuestions.org
Old 12-17-2005, 08:49 PM   #1
blacksoul
LQ Newbie
 
Registered: Sep 2003
Location: Idaho
Distribution: Ubuntu
Posts: 10

Rep: Reputation: 0
Shorewall and Counter-Strike Server HLDS


I'm having a bit of trouble with shorewall. I'm trying to set up a CS:S LAN server; I have everything installed, updated and set to go. I was getting ready to poke a hole in the firewall for the LAN side, and it seems I don't have a big enough stick. The main thing for CS:S is the port 27015. (In case anyone was unsure.) Here's what I have in the Shorewall rules file:

Code:
#       Allow connections for gaming
#
# FOR TESTING CS:S SERVER
ACCEPT          loc             fw              udp     27000:27050
ACCEPT          fw              loc             udp     27000:27050
ACCEPT          loc             fw              tcp     27000:27050
ACCEPT          fw              loc             tcp     27000:27050
ACCEPT          fw              loc             udp     26900

ACCEPT          fw              loc             tcp     5273,7002
ACCEPT          loc             fw              udp     1200



# for updating steam, CLOSE WHEN DONE!
#ACCEPT         all             all             tcp     27030:27045
#ACCEPT         all             all             udp     1200
#ACCEPT         all             all             udp     27000:27015
And when I try to connect from a client this is what I get in the log file:

Code:
Dec 17 19:45:11 servername kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.1 DST=10.10.10.20 LEN=150 TOS=0x00 PREC=0x00 TTL=64 ID=13 DF PROTO=UDP SPT=27015 DPT=1171 LEN=130
And the console I'm using to start the hlds server shows this when a client tries to connect.

Code:
NET_SendPacket ERROR: Operation not permitted

Just to make sure it was actually working

Code:
netstat -nlp | grep hlds
udp        0      0 0.0.0.0:27015           0.0.0.0:*                          12388/hlds_amd
udp        0      0 0.0.0.0:26900           0.0.0.0:*                          12388/hlds_amd

If anyone cares, or thinks maybe it's just the cs:s server, here's what the console shows after starting hlds

Code:
./hlds_run -game cstrike +map de_dust +maxplayers 12 -insecure -nomaster +sv_lan 1
Auto detecting CPU
Using AMD Optimised binary.
Auto-restarting the server on crash

Console initialized.
Protocol version 47
Exe version 1.1.2.5/Stdio (cstrike)
Exe build: 01:12:51 Dec  3 2005 (3327)
STEAM Auth Server
couldn't exec language.cfg
Server IP address 127.0.0.1:27015

Server logging data to file logs/L1217073.log
L 12/17/2005 - 19:36:48: Log file started (file "logs/L1217073.log") (game "cstrike") (version "47/1.1.2.5/Stdio/3327")
L 12/17/2005 - 19:36:48: Server cvar "sv_aim" = "0"
L 12/17/2005 - 19:36:48: Server cvar "sv_maxspeed" = "320"
L 12/17/2005 - 19:36:48: Server cvar "mp_timelimit" = "20"
Master server communication disabled.
L 12/17/2005 - 19:36:56: World triggered "Round_Start"
L 12/17/2005 - 19:41:56: Team "CT" triggered "Target_Saved" (CT "1") (T "0")
L 12/17/2005 - 19:41:56: World triggered "Round_End"
L 12/17/2005 - 19:42:07: World triggered "Round_Start"
NET_SendPacket ERROR: Operation not permitted
NET_SendPacket ERROR: Operation not permitted
L 12/17/2005 - 19:47:07: Team "CT" triggered "Target_Saved" (CT "2") (T "0")
L 12/17/2005 - 19:47:07: World triggered "Round_End"
L 12/17/2005 - 19:47:18: World triggered "Round_Start"
 
Old 12-17-2005, 10:10 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The CS daemon looks like it's up and running alright. Looking at the kernel messages, it looks like outbound packets are being rejected for some reason. I'd guess that you've put your rules for the CS service after a set of REJECT rules. Try putting them earlier in the firewall. I'm not that familiar with the specifics of shorewall, but it might also be that you're using the wrong zone for the rules themselves. Are you sure you want to use the "fw" zone rather than eth1? Check your /etc/shorewall/zones file to see if eth1 exists.
 
Old 12-18-2005, 01:43 AM   #3
blacksoul
LQ Newbie
 
Registered: Sep 2003
Location: Idaho
Distribution: Ubuntu
Posts: 10

Original Poster
Rep: Reputation: 0
Thanks for the reply, this has been driving me crazy. The "fw" zone does, I believe, refer to eth1. I attempted to replace it with eth1, and it errored. I also double checked, and I do have the ACCEPT statements prior to the REJECT statements.
 
Old 12-18-2005, 02:16 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
For the ports that you are allowing, are they *all* destination ports? If you look at the blocked packet, you can see the *source* port is 27015 and not the destination port (DPT=1171). If that's the case, then all the outbound traffic (fw->loc) will need 27000:27050 as the source port. If that doesn't work, post the output of iptables -vnL.
 
Old 12-18-2005, 09:58 PM   #5
blacksoul
LQ Newbie
 
Registered: Sep 2003
Location: Idaho
Distribution: Ubuntu
Posts: 10

Original Poster
Rep: Reputation: 0
I'm not sure if they are or not, I'm still just kinda getting a handle on iptables/shorewall.

I know that the client will check port 27015 on the server. If so, would the statement for this look like
Code:
ACCEPT        loc        fw        udp        -        27000:27050
ACCEPT        fw         loc       udp        27000:27050
or

Code:
ACCEPT        loc       fw         udp        27000:27050
ACCEPT        fw        loc        udp        -        27000:27050
or neither?
 
Old 12-19-2005, 12:22 AM   #6
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Shorewall is something I know very little about, being a raw iptables kinda guy, but from what you posted it looks like you need to poke a hole for packets going out with source port 27015. The destination port will likely change with each new connection; the key is that packets should be able to come in to destination port 27015, from any port, and out to any destination port, if they have a source port of 27015. Your firewall appears to be blocking the outbound ones.

Last edited by Darin; 12-19-2005 at 12:54 AM.
 
Old 12-19-2005, 01:02 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
@blacksoul: I believe the second set.

loc->fw dport 27015
fw->loc sport 27015
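As an added illustration (not code from the thread or from Shorewall), here is a small Python simulation of how a first-match rules table treats the rejected packet from blacksoul's log: with the original rules 27000:27050 is a destination-port match, so the server's reply (SPT=27015, DPT=1171) falls through to the all2all REJECT, while Capt_Caveman's second set matches that reply on its source port. It assumes eth1 is the loc interface and that an empty IN= means the fw zone; the inbound client line is constructed.

```python
import re

# Constructed input: the REJECT line blacksoul posted, plus a constructed
# inbound client packet so both directions of the exchange are exercised.
REJECT_LINE = ("Dec 17 19:45:11 servername kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
               "SRC=10.10.10.1 DST=10.10.10.20 LEN=150 TOS=0x00 PREC=0x00 TTL=64 ID=13 DF "
               "PROTO=UDP SPT=27015 DPT=1171 LEN=130")
INBOUND_LINE = ("Dec 17 19:45:10 servername kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
                "SRC=10.10.10.20 DST=10.10.10.1 PROTO=UDP SPT=1171 DPT=27015 LEN=130")

# Assumption: eth1 is the 'loc' interface; an empty IN= means the packet
# originated on the firewall host itself, i.e. the 'fw' zone.
ZONE_OF = {"eth1": "loc", "": "fw"}

# Rule columns follow /etc/shorewall/rules: ACTION SOURCE DEST PROTO DPORT SPORT
ORIGINAL_RULES = [  # blacksoul's rules: both ranges are *destination* ports
    ("ACCEPT", "loc", "fw", "udp", "27000:27050", "-"),
    ("ACCEPT", "fw", "loc", "udp", "27000:27050", "-"),
]
FIXED_RULES = [     # Capt_Caveman's second set: the reply is matched on *source* port
    ("ACCEPT", "loc", "fw", "udp", "27015", "-"),
    ("ACCEPT", "fw", "loc", "udp", "-", "27015"),
]

def parse_log(line):
    """Pull the kernel fields out of a Shorewall log line into a packet dict."""
    f = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"src": ZONE_OF[f["IN"]], "dst": ZONE_OF[f["OUT"]],
            "proto": f["PROTO"].lower(), "sport": int(f["SPT"]), "dport": int(f["DPT"])}

def port_ok(spec, port):
    """'-' matches any port; otherwise a comma list of N or LO:HI ranges."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, pkt, policy="REJECT"):
    """First matching rule wins; otherwise fall through to the all2all policy."""
    for action, src, dst, proto, dport, sport in rules:
        if (src, dst, proto) == (pkt["src"], pkt["dst"], pkt["proto"]) \
                and port_ok(dport, pkt["dport"]) and port_ok(sport, pkt["sport"]):
            return action
    return policy

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for line in (INBOUND_LINE, REJECT_LINE):
            pkt = parse_log(line)
            print(f"{name:8s} {pkt['src']}->{pkt['dst']} sport={pkt['sport']} "
                  f"dport={pkt['dport']}: {evaluate(rules, pkt)}")
```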
 